[arch-general] Signing kernel modules

[Daniel Micay]

On 25/07/15 03:58 PM, Damjan Georgievski wrote:
> Since some time ago, the Linux kernel has had support for
> cryptographically signed
> modules, i.e. the kernel can be configured to only load properly signed modules.
> 
> https://www.kernel.org/doc/Documentation/module-signing.txt
> 
> 
> I wouldn't go to lengths explaining the benefits of it, I was just
> wondering if Arch has the
> infrastructure to sign the modules - since developers already sign the
> kernel package itself [*],
> and in that sense we (the users) already trust them to that level.
> 
> I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default
> - that would break 3rd party modules, but people could optionally use
> the "enforcemodulesig=1" kernel command line option if they want to.
> 
> 
> Thoughts?
> 
> 
> [*]
> though packages are gpg signed, and modules use x.509

Signed modules don't really offer any added security with a vanilla
kernel because root still has full control over the kernel via other
known mechanisms (i.e. no exploits necessary). The feature is mostly
useful for enforcing a *policy* of not allowing third party modules,
similar to the kernel taint bits which can be overwritten if you really
feel like doing it.

It might be worth enabling it for linux-grsec. Many cases can already be
handled by setting modules_disabled=1 once the needed modules are loaded.

It's not a very compelling feature though because it's only truly useful
in combination with a fully read-only root and grsecurity's
romount_protect feature.

A strong MAC policy could also plug the other attack routes... but it's
also going to prevent loading modules for that role anyway.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150725/a8e7938d/attachment.asc>